Facebook has started to encrypt links to counter privacy-improving URL Stripping
Facebook has started to use a different URL scheme for site links to combat URL stripping technologies that browsers such as Firefox or Brave use to improve privacy and prevent user tracking.
Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.
Update: Facebook contacted us to provide us with their side of the story. According to the company, the change has nothing to do with URL stripping and user tracking, but as a countermeasure against scrapers.
"We changed the ID component of these URLs as a privacy measure intended to deter scrapers from collecting and potentially misusing people's Facebook IDs. These modified IDs aren’t used to track people, and have not been designed to prevent browser tools from removing tracking components from the URL." - a Meta spokesperson
Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser's Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.
Both web browsers use lists of known tracking parameters for the functionality. The lists need to be updated whenever sites change tracking parameters.
Facebook could have changed the scheme that it is using, but this would have given Facebook only temporary recourse. It appears that Facebook is using encryption now to track users.
Previously, Facebook used the parameter fbclid for tracking purposes. Now, it uses URLs such as https://www.facebook.com/ghacksnet/posts/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl?__cft__=AZXT7WeYMEs7icO80N5ynjE2WpFuQK61pIv4kMN-dnAz27-UrYqrkv52_hQlS_TuPd8dGUNLawATILFs55sMUJvH7SFRqb_WcD6CCOX_zYdsebOW0TWyJ9gT2vxBJPZiAaEaac_zQBShE-UEJfatT-JMQT5-bvmrLz7NlgwSeL6fGKH9oY9uepTio0BHyCmoY1A&__tn__=%2CO%2CP-R instead.
The main issue here is that there it is no longer possible to remove the tracking part of the URL, as Facebook merged it with part of the required web address. Removing the entire construct after the ? would open the main Facebook page of Ghacks Technology News, but it won't open the linked post.
Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand in regards to URL-based tracking at the time, and there is little that can be done about it short of finding a way to decrypt the information.
There is no option currently to prevent Facebook's tracking of users via links. Users could avoid Facebook, but that may not be possible all the time. URL tracking does not help much if other tracking means, e.g., through cookies or site data, are not available. While Facebook gets some information from URL-based tracking, it can't link it if no persistent data is available.
Users who don't sign into Facebook and clear cookies and site data regularly, may avoid most of the company's tracking.
Now You: what is your take on this development? Beginning of a cat and mouse game, or game over for privacy already? (thanks N.J.)Advertisement